DHCP code in 2.0.4+

Alan DeKok aland at deployingradius.com
Fri Jun 5 19:39:46 CEST 2009

Martin Lorentz wrote:
> While playing around with the experimental DHCP code in the latest
> freeradius releases, I came across a problem where the DHCP packet is
> not recognized, when the Message-Type is not the first among the list of
> options.

  Yes... it is usually first, but it doesn't necessarily have to be.

> Currently, the code uses a static offset to look for the
> message type in the packet. A patch is enclosed to fix the problem by
> iterating through the available options, but will most likely need
> fixing by someone who knows how to code :-) It applies to 2.0.6 and
> works in the lab, though.

  It should apply to recent versions.

> Also, I'm interested to hear about the plans for DHCP in freeradius.

  "Take over the world".  I'm giving a talk at LinuxTag in a few weeks:


  Really... I'm astonished that in 2009, the most widely used DHCP
server doesn't do the new-fangled "database" thing.  It's bizarre.

> Personally, I'm evaluating a solution to assign static IPs based on the
> Agent-Circuit-Id without being tied to a specific MAC - something ISC
> dhcpd will not do by design.

  :)  There's a lot more of that in ISC DHCPd.  I could go on...

> This is supposed to eventually replace
> PPPoE connections from CPEs. I guess freeradius could someday be able to
> handle this since the backend data store is really flexible. While most
> users will probably use the DHCP code with a leases database, in our
> scenario the configuration would just hand out a static IP calculated
> from the values in the Agent-Circuit-ID, probably by making use of
> scripting.

  Exactly.  A configurable DHCP server is extremely valuable.

> Another suggestion with regards to the server design. Currently, the
> whole server needs to run as root to bind to port 67. That's not
> necessary for a RADIUS server binding only to ports above 1024. For the
> long run, would it be feasible to separate the DHCP server code into its
> own daemon, as a pure DHCP-to-RADIUS translator?

  Not really.  The longer-term goal is to gradually remove any knowledge
of RADIUS from the server core.

  For now, you can run two servers, one for port 67, and another for
port 1812.  Or, in 2.1.6, it can drop "root" permissions as soon as it's
running, which gives you much more confidence about security.

  Alan DeKok.

More information about the Freeradius-Users mailing list